On January 6, 2021, the proposed Biometric Privacy Act (the “Act”) was introduced to the New York State legislature. If adopted as drafted, the Act will require:
- Any private entity that “possesses”¹ any biometric identifiers and/or information² (or “biometric data”) must have a written policy, publicly available³, establishing its retention and destruction schedule, as well as a secure means of destroying the data on the sooner of (i) when no longer needed for its original purpose of collection or (ii) after three years from the private entity’s interaction with the person providing the data.
- A private entity cannot acquire, collect, trade, store, purchase or capture biometric data, whether from the person themselves or a third party, unless the entity first:
  - Informs the subject that their data is being so collected, stored, captured, purchased and/or traded;
  - Informs the subject of the underlying legal purpose for which the data is being collected, stored and/or used; and
  - Receives a written release⁴ from the person or their legal representative.
To be clear, this will apply whether the data is collected from an employee (consider a biometric time clock) or a customer (think thumbprints used at amusement parks and to unlock devices).
Further, the draft legislation proscribes